On 6 Dec 2001, at 12:16, Paul Robertson wrote:

> On Wed, 5 Dec 2001, Richard Saddington wrote:
>
> > The point I was hoping to get feedback on was altering an existing rulebase
> > to incorporate changes in an organisation's security policy. Should the whole
> > rulebase be reworked or can extra rules just be added to the end? Then comes
> > the issue of performance: should rules that permit the most amount of
> > traffic be given priority over more defined rules?
>
> Rules for some devices (such as Cisco routers) work on a "first
> match" basis, and in that case __absolutely__ should be ordered by
> traffic load. For other traffic, or complex setups, it's really a
> call based on profile and interaction. If rules are fairly simple,
> and stand-alone, then it always makes sense to match on volume
> first for the highest volume protocols.

This is, however, perhaps a good place to segue back to what *I* thought
this thread was about.

1. Cisco access lists must -- on the versions I've used, and this may have
changed in recent releases -- be typed in in exactly the right order, and
there's no provision for reordering them once entered. If you want to
make a change, you have to enter an entire new list.

2. When NetScreen went, I believe, from version 1.x to 2.x, one of the
major improvements was the replacement, in their GUI, of the old "move
this rule up/down one slot" with "move this rule to just before/after
rule X". If you have four or five screenfuls of rules, and need to add
one near the beginning of the list, this is a tremendous time-saver!

There could be arguments that a hard-to-modify rulebase encourages
planning and stability in a network's security policy. On the other
hand, making it easier to tweak the rulebase makes it easier to correct
deficiencies, rather than live with them because fixing them would take
too much effort. So there are arguments on both sides of this question.

DG

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
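The two questions raised in the thread (appending rules to the end of a first-match rulebase, and ordering by traffic volume) can both be checked mechanically. The following is an added example, not code from the list or from any vendor: a small first-match evaluator over a constructed rulebase that shows a deny appended after a broader permit is shadowed and never fires, plus a comparison-count showing why the highest-volume permit belongs first. The Rule fields, rule names, addresses and traffic mix are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt):
        src, dst, dport = pkt
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        # True when every packet matching `other` also matches this rule
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))

def first_match(rules, pkt, default="deny"):
    """First-match lookup: (action, rule name, rules examined)."""
    for n, r in enumerate(rules, 1):
        if r.matches(pkt):
            return r.action, r.name, n
    return default, "implicit-default", len(rules)

def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(e.covers(r) for e in rules[:i])]

def evaluations(rules, traffic):
    """Total rule comparisons needed to classify `traffic` under this ordering."""
    return sum(first_match(rules, pkt)[2] for pkt in traffic)

# Constructed rulebase: broad web permit, DNS permit, then a host block appended last
PERMIT_WEB = Rule("web-any", "permit", "10.0.0.0/8", "192.0.2.0/24", 80)
BLOCK_HOST = Rule("block-host", "deny", "10.0.5.7/32", "192.0.2.0/24", 80)
PERMIT_DNS = Rule("dns", "permit", "10.0.0.0/8", "192.0.2.53/32", 53)
APPENDED = [PERMIT_WEB, PERMIT_DNS, BLOCK_HOST]    # deny appended: shadowed, never fires
REWORKED = [BLOCK_HOST, PERMIT_WEB, PERMIT_DNS]    # specific deny placed first
VOLUME_FIRST = [BLOCK_HOST, PERMIT_DNS, PERMIT_WEB]  # then highest-volume permit first
# Constructed traffic mix: 90% DNS, 10% web
TRAFFIC = [("10.0.1.1", "192.0.2.53", 53)] * 90 + [("10.0.1.2", "192.0.2.10", 80)] * 10
```

Running shadowed() over a rulebase before committing a change catches the appended-deny case; evaluations() makes the ordering-by-volume argument concrete for a given traffic profile.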
